diff options
| author | tb <> | 2024-10-18 17:27:07 +0000 |
|---|---|---|
| committer | tb <> | 2024-10-18 17:27:07 +0000 |
| commit | d0a0731baa6c11e828c6eaf5bad6b696b7970bcc (patch) | |
| tree | 21c2d8d99a6ad3f5138b72666bb9a53810ea3608 /src/lib/libcrypto/ec/ec_local.h | |
| parent | ff67d4fbe3dfed9b7d4e988f959ca076ed5b87ec (diff) | |
| download | openbsd-d0a0731baa6c11e828c6eaf5bad6b696b7970bcc.tar.gz openbsd-d0a0731baa6c11e828c6eaf5bad6b696b7970bcc.tar.bz2 openbsd-d0a0731baa6c11e828c6eaf5bad6b696b7970bcc.zip | |
Enforce that EC Parameters correspond to a builtin curve
EC parameters are very general. While there are some minimal sanity checks,
for the parameters due to DoS risks found in the last decade, the elliptic
curve code is poorly written and a target rich environment for NULL
dereferences, busy loops, expensive computations and whatever other
nastiness you can think of. It is not too hard to come up with parameters
that reach very ugly code. While we have removed for the worst of it (the
"fast" nist code and GF2m come to mind), the code very much resembles the
Augean Stables.
Unfortunately, curve parameters are still in use - even mandatory in some
contexts - for example in machine-readable travel documents signed by ICAO
country signing certification authorities (see ICAO Doc 9303).
To avoid many of these DoS vectors, start enforcing that we know what the
curve parameters are about, namely that they correspond to a builtin curve.
This way we know that the parameters are at least as good as the standards
we implement and checking this is cheap:
Translate curve parameters into the ad hoc representation in the builtin
curve code and check there's a match. That's very cheap since most curves
are distinguished by cofactor and parameter length and we need to use an
actual parameter comparison for at most half a dozen curves, usually only
one or two.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/ec/ec_local.h')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_local.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h index ca55770ba8..b837e291f7 100644 --- a/src/lib/libcrypto/ec/ec_local.h +++ b/src/lib/libcrypto/ec/ec_local.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_local.h,v 1.29 2024/10/15 06:27:43 tb Exp $ */ | 1 | /* $OpenBSD: ec_local.h,v 1.30 2024/10/18 17:27:07 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -355,6 +355,8 @@ int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p, | |||
| 355 | int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, | 355 | int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, |
| 356 | const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); | 356 | const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); |
| 357 | 357 | ||
| 358 | int ec_group_is_builtin_curve(const EC_GROUP *group); | ||
| 359 | |||
| 358 | /* Public API in OpenSSL */ | 360 | /* Public API in OpenSSL */ |
| 359 | const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group); | 361 | const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group); |
| 360 | const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); | 362 | const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); |